Tags: saml, saml-2.0, xml-signature, opensaml, xml-encryption

SAML 2 - openSAML - Sign and Encrypt Assertion


We are the IdP and we implemented SAML 2 using the OpenSAML 3.2 library. We are integrating with one of our SPs, and it works fine if we sign the assertion and encryption is disabled on our side. If we enable encryption, it fails with one of the following errors:

  1. Sign and encrypt the assertion: fails with "Invalid digital signature (23)"

  2. Encrypt the assertion and sign the whole response: fails with "Invalid digital signature (23)"

  3. Sign and encrypt the assertion and sign the whole response: fails with "Invalid digital signature (23)"

  4. Sign the message (without encryption): fails with "SAML assertion is unsigned (20)"

  5. Sign the assertion (without encryption): SUCCESS

Has anyone faced this issue before? Any pointers would be greatly appreciated.


Solution

  • Finally we were able to resolve this. Posting the answer as it may help others who face this issue.

    While signing the assertion we had to set the CanonicalizationMethod to 'CanonicalizationMethod.EXCLUSIVE'.
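The sign-then-encrypt flow described in the question, with the exclusive canonicalization from the accepted answer, as an added example written against the OpenSAML 3.x API. This is not code from the original post. It assumes the IdP holds an RSA signing key and certificate (`idpCert`, `idpKey`) and the SP's encryption certificate (`spEncryptionCert`); the class and method names `SignThenEncrypt`, `bootstrap`, `signThenEncrypt` and `addToResponse` are my own, and the assertion passed in is assumed to be fully populated (ID, Issuer, Subject, Conditions, statements) before it is signed.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;

/** Added example (not from the original post): sign an assertion, then encrypt it for the SP. */
public final class SignThenEncrypt {

    /** Call once per JVM before using any OpenSAML builder. */
    public static void bootstrap() throws InitializationException {
        InitializationService.initialize();
    }

    /**
     * Signs the already populated assertion with exclusive C14N, then encrypts the signed
     * assertion for the SP. Order matters: sign first, encrypt second, and never re-marshal
     * the assertion after it has been signed, or the digest no longer matches.
     * idpCert/idpKey/spEncryptionCert are assumed inputs supplied by the caller.
     */
    public static EncryptedAssertion signThenEncrypt(Assertion assertion,
                                                     X509Certificate idpCert, PrivateKey idpKey,
                                                     X509Certificate spEncryptionCert)
            throws MarshallingException, SignatureException, SecurityException, EncryptionException {

        XMLObjectBuilderFactory bf = XMLObjectProviderRegistrySupport.getBuilderFactory();

        // 1. Build the ds:Signature template on the assertion.
        BasicX509Credential signingCred = new BasicX509Credential(idpCert, idpKey);
        Signature signature = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        // Exclusive C14N: the digest covers only namespaces the assertion itself uses, so it
        // still verifies after the SP decrypts the assertion and parses it outside the Response.
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Embed the signing certificate so the SP can match it against the trusted IdP key.
        X509KeyInfoGeneratorFactory kif = new X509KeyInfoGeneratorFactory();
        kif.setEmitEntityCertificate(true);
        signature.setKeyInfo(kif.newInstance().generate(signingCred));

        assertion.setSignature(signature);

        // 2. Marshal to DOM first, then compute the signature value over that DOM.
        XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);

        // 3. Encrypt the signed assertion: AES-128 data key, wrapped with the SP's RSA key (OAEP).
        DataEncryptionParameters dataParams = new DataEncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);

        KeyEncryptionParameters keyParams = new KeyEncryptionParameters();
        keyParams.setEncryptionCredential(new BasicX509Credential(spEncryptionCert));
        keyParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

        Encrypter encrypter = new Encrypter(dataParams, keyParams);
        // INLINE puts the xenc:EncryptedKey inside the EncryptedData's KeyInfo, which most SPs expect.
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /** Place the encrypted assertion in the Response; sign the Response (if required) only after this. */
    public static Response addToResponse(Response response, EncryptedAssertion encrypted) {
        response.getEncryptedAssertions().add(encrypted);
        return response;
    }
}
```

Why the canonicalization method is the fix: with inclusive C14N the digest also covers namespace declarations the assertion inherits from its ancestors (the `samlp:Response`), and after decryption the SP typically parses the assertion as a standalone document with a different namespace context, so the recomputed digest differs and the SP reports an invalid signature. Exclusive C14N emits only the namespaces the signed subtree visibly uses, which survives the encrypt-decrypt round trip. Two further caveats: if the Response is also signed, sign it last, after the `EncryptedAssertion` has been inserted, because any later change to the Response invalidates that signature; and an SP that answers "SAML assertion is unsigned" when only the Response is signed is telling you it requires a signature on the assertion itself, so signing the outer message alone will not satisfy it.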